Compare commits
2 commits
cf77666322
...
aef71f548a
Author | SHA1 | Date | |
---|---|---|---|
Tristan Daniël Maat | aef71f548a | ||
Tristan Daniël Maat | 501c3466bc |
|
@ -15,6 +15,7 @@
|
|||
(import ../modules)
|
||||
|
||||
./services/afvalcalendar.nix
|
||||
./services/auth.nix
|
||||
./services/backups.nix
|
||||
./services/battery-manager.nix
|
||||
./services/conduit.nix
|
||||
|
@ -131,7 +132,10 @@
|
|||
sudo.execWheelOnly = true;
|
||||
|
||||
pam = {
|
||||
enableSSHAgentAuth = true;
|
||||
sshAgentAuth = {
|
||||
enable = true;
|
||||
authorizedKeysFiles = ["/etc/ssh/authorized_keys.d/%u"];
|
||||
};
|
||||
services.sudo.sshAgentAuth = true;
|
||||
};
|
||||
};
|
||||
|
|
95
configuration/services/auth.nix
Normal file
95
configuration/services/auth.nix
Normal file
|
@ -0,0 +1,95 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
user = config.services.authelia.instances.main.user;
|
||||
domain = "auth.${config.services.nginx.domain}";
|
||||
in {
|
||||
services.authelia.instances.main = {
|
||||
enable = true;
|
||||
settings = {
|
||||
theme = "auto";
|
||||
|
||||
access_control.default_policy = "one_factor";
|
||||
|
||||
authentication_backend = {
|
||||
password_reset.disable = true;
|
||||
file.path = "/var/lib/authelia-main/users.yml";
|
||||
};
|
||||
|
||||
notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
|
||||
|
||||
session = {
|
||||
domain = config.services.nginx.domain;
|
||||
redis.host = config.services.redis.servers.authelia.unixSocket;
|
||||
};
|
||||
|
||||
storage.postgres = {
|
||||
host = "/run/postgresql";
|
||||
port = 5432;
|
||||
database = user;
|
||||
username = user;
|
||||
|
||||
password = "unnecessary";
|
||||
};
|
||||
};
|
||||
|
||||
secrets = {
|
||||
storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path; # Database
|
||||
sessionSecretFile = config.sops.secrets."authelia/sessionSecret".path; # Redis
|
||||
jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.authelia-main.after = ["postgresql.service"];
|
||||
|
||||
services.nginx = {
|
||||
# TODO(tlater): Possibly remove on next authelia release
|
||||
additionalModules = with pkgs.nginxModules; [
|
||||
develkit
|
||||
set-misc
|
||||
];
|
||||
|
||||
virtualHosts."${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
enableHSTS = true;
|
||||
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:9091";
|
||||
recommendedProxySettings = false;
|
||||
enableAutheliaProxy = true;
|
||||
};
|
||||
|
||||
"/api/verify" = {
|
||||
proxyPass = "http://127.0.0.1:9091";
|
||||
recommendedProxySettings = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.redis.servers.authelia = {
|
||||
inherit user;
|
||||
enable = true;
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"authelia/storageEncryptionKey" = {
|
||||
owner = user;
|
||||
group = user;
|
||||
};
|
||||
|
||||
"authelia/sessionSecret" = {
|
||||
owner = user;
|
||||
group = user;
|
||||
};
|
||||
|
||||
"authelia/jwtSecret" = {
|
||||
owner = user;
|
||||
group = user;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -40,6 +40,7 @@ in {
|
|||
forceSSL = true;
|
||||
useACMEHost = "tlater.net";
|
||||
enableHSTS = true;
|
||||
enableAuthorization = true;
|
||||
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -3,6 +3,9 @@
|
|||
config,
|
||||
...
|
||||
}: let
|
||||
# Update pending on rewrite of nextcloud news, though there is an
|
||||
# alpha to switch to if it becomes necessary:
|
||||
# https://github.com/nextcloud/news/issues/2610
|
||||
nextcloud = pkgs.nextcloud27;
|
||||
hostName = "nextcloud.${config.services.nginx.domain}";
|
||||
in {
|
||||
|
@ -17,15 +20,16 @@ in {
|
|||
configureRedis = true;
|
||||
|
||||
config = {
|
||||
overwriteProtocol = "https";
|
||||
|
||||
dbtype = "pgsql";
|
||||
dbhost = "/run/postgresql";
|
||||
|
||||
adminuser = "tlater";
|
||||
adminpassFile = config.sops.secrets."nextcloud/tlater".path;
|
||||
};
|
||||
|
||||
defaultPhoneRegion = "AT";
|
||||
settings = {
|
||||
default_phone_region = "AT";
|
||||
overwriteprotocol = "https";
|
||||
};
|
||||
|
||||
phpOptions = {
|
||||
|
@ -37,8 +41,6 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.redis.vmOverCommit = true;
|
||||
|
||||
# Ensure that this service doesn't start before postgres is ready
|
||||
systemd.services.nextcloud-setup.after = ["postgresql.service"];
|
||||
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
{pkgs, ...}: {
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
services.postgresql = {
|
||||
package = pkgs.postgresql_14;
|
||||
enable = true;
|
||||
|
@ -24,11 +28,16 @@
|
|||
name = "nextcloud";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
{
|
||||
name = config.services.authelia.instances.main.user;
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
|
||||
ensureDatabases = [
|
||||
"grafana"
|
||||
"nextcloud"
|
||||
config.services.authelia.instances.main.user
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -242,16 +242,16 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1714272655,
|
||||
"narHash": "sha256-3/ghIWCve93ngkx5eNPdHIKJP/pMzSr5Wc4rNKE1wOc=",
|
||||
"lastModified": 1718208800,
|
||||
"narHash": "sha256-US1tAChvPxT52RV8GksWZS415tTS7PV42KTc2PNDBmc=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "12430e43bd9b81a6b4e79e64f87c624ade701eaf",
|
||||
"rev": "cc54fb41d13736e92229c21627ea4f22199fee6b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-23.11",
|
||||
"ref": "nixos-24.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
description = "tlater.net host configuration";
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
disko = {
|
||||
url = "github:nix-community/disko";
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
hetzner-api: ENC[AES256_GCM,data:OsUfo86AzcBe/OELkfB5brEfsZ4gkbeehxwIVUBwQgE=,iv:Bt/cjlZ6oZEVUOQjWMDL7/mfL3HWLFAw1tEGeLMgeKg=,tag:TMU2XiHlMgP4aes10mIQYQ==,type:str]
|
||||
authelia:
|
||||
storageEncryptionKey: ENC[AES256_GCM,data:OUCC+6Gcr6U7Mub1+DaIyswTV6da1wd1u0WGEm4wpJ8L0mi7WSpEmVjH79YyRhp7AmiZhdFFDXFeEYthBb2AZl+xoS9gqs6rWyfU4ezaCbXBiS/dIhsA5foPg13wq5A33qJWtPTy7DJEgqHaIonnaBuVJIBwH3wzPTHc3bDvBo4=,iv:intiZzngz5cMTtjEI9rTKMW0Xv3KB3ZEgtYN3amwKCE=,tag:AKxfbeZlPs54esHCsVnNCg==,type:str]
|
||||
sessionSecret: ENC[AES256_GCM,data:GEMWhBltOIOs0g9FsWk3OQGs6dMcbwz3ZuhlyBFYROylsIZb4xTXWLgNwIpHwQukQU3TgvIxbCW/fGRWiALPanE2koSVAHNx0UU0hj1mVNRFQGK4H3EL10tPp7l4PofrcdeCbLPrOwM/xLOuPt+52sKlcbL2Awz5/MmpUVpCKXc=,iv:kWX2ptOpTgW3obBgri0MvVv6gCEPR3o77sldOXFQeks=,tag:je4pqLcEOhuBTQkoZHYNCw==,type:str]
|
||||
battery-manager:
|
||||
email: ENC[AES256_GCM,data:rYLUACXR/n+bLBmZ,iv:sUBEkh2+7qGjHZ5R23e/hoCiyTA7GTL4bJvXmxjZ5Sw=,tag:fdPMllaQQfRgX0WZKIre4g==,type:str]
|
||||
password: ENC[AES256_GCM,data:7cokZa6Q6ahSeiFPz+cV,iv:vz405P0IcG9FsAQXlY7mi78GuushQUKJm2irG6buGzc=,tag:JLHG2jTkJDGbinAq9dXRsQ==,type:str]
|
||||
|
@ -32,8 +34,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-04-15T23:13:18Z"
|
||||
mac: ENC[AES256_GCM,data:3/v+WgSWJ+VcBSBe1Wkis3z+tMmSjbKzLFqBB8xugc6DvgQG8J+1HRrPucLnpNNtEdmpyoTa72U6fPm6JnyUsuj5pLEghLprOJkqQNdRI06fllhw+9d3e3twx6D4oIIsVH6/io4ElXrGsGQTsfNbYhgn+987wa3WP5N25fBac3U=,iv:FL3tzPutOMN6IPkQfXIu/JOZT+OzUSqpMSQrUeXZQHE=,tag:jL1BTsYTA9XjrsjFszxZhA==,type:str]
|
||||
lastmodified: "2024-04-11T23:38:56Z"
|
||||
mac: ENC[AES256_GCM,data:GjIB0EbWsh4o+QoFSyIXgGYnNhRlvfSmue1LyTt6oUlIjNgODhdIB8px8LnRo0rmm/f1YHbDq2MFOxlgdm3PTNaqm/MoKyW3r/wuAeWADsYayQszLNxyhTMXcjWtfm6zCRIuc/+YyM44pXRfVrOZRAin9B6pmJZsRJwBAZpogbU=,iv:r/ZQZvrP0E9dOW5fhBH2I21Z0uv2e3njdEGmadxEALg=,tag:iZvbGTvRJFo80n8aoKSSmQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-03-18T04:02:00Z"
|
||||
enc: |-
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
hetzner-api: ENC[AES256_GCM,data:1Zjp003j60g=,iv:+vDcyiqYm4A9CMIrW4oGZKdZiczatBcvfL4qYYhKwCg=,tag:Xeu8JuRm+b+5RO+wFR2M8w==,type:str]
|
||||
authelia:
|
||||
storageEncryptionKey: ENC[AES256_GCM,data:8X6Zvq7ct1MkMH+lc5kTTHXOo6rGyhSzc3aWxGRA5tnBet+TGcENo0RYTYmactsPGVpTIUGGplaG7B7dqRPhkdDHhbCCZCm2nLaYjpVJ241DrpUNKHn8lvg/bMxUQ/Dvw76ByYuWN6bREr3XRaBztBSPzld8zTSYx71I0CKY7vk=,iv:cJSwfuVWO39qqKCGt2Mvw7pN8+hD6kRH9v4c/u4hLuk=,tag:YhdlXuX2ETxjb443RI8MsA==,type:str]
|
||||
sessionSecret: ENC[AES256_GCM,data:dnoWmc4HND62w3jMXL+akncAEb61c/I70DgRytx55Wxcn4rMiswp6zCkRdsP4CkouTQ1lyAcQrubp5I8M9Kyow/KBMYz9dPkr4+2xJ9w0SEmAVhyPe2DFvYos3x0Uvx5S0B3o1mXoXqbg78e4w5yEIbALiJT8VPGrWK8Cl4nVPo=,iv:FHDXUW2DWUmEZzWUYkYduogdVOtvMlRH4/fVg05cZaI=,tag:u282WQnHpBsZGYJH7mFFKA==,type:str]
|
||||
jwtSecret: ENC[AES256_GCM,data:0M3AyoMp+orrljl5NsxmthzrHMmu0REcz7+9fpFKbwwqV6KqlpgGddjYZIsTpHEWEq9zhZ2YWLJkMxKdDgROVHUFZGKut28JPSAjjY+1V0wxNBnfSCnxEv5BUw2+cCxcpCwYQyNfRK6SotTt8aqpxvda4oRXpzxV6SW7ogDjc6E=,iv:D57SynZkW2JuFyX6bpZYkxpR2KtkOmKaySg1Bxim0r8=,tag:JCPGZaumdHrtgcH16A7b+g==,type:str]
|
||||
battery-manager:
|
||||
email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
|
||||
password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
|
||||
|
@ -32,8 +35,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-04-15T23:13:27Z"
|
||||
mac: ENC[AES256_GCM,data:JhEVrKF2Jsqpdztcr3g5lMrgEFeLXfBRQTwQJ6PmLSNyDORcTU09TJPNWTPDnR5okDrvIU/wlzi5DZ8A0ebNhrKf6l0tNFBT9LSvQFHU5SBxqY/m8uEJKSrEC4IL5lugOOISDka2KSvYXVCXrumMHE5FnmOS/CgOZaZk6LUjPYA=,iv:ygygnSedcTo2Vsc56s2qrz1qkWchvSgvoiMTebRxQQ8=,tag:vf6z8rxsXmqzwpDy9Avifw==,type:str]
|
||||
lastmodified: "2024-04-12T01:00:31Z"
|
||||
mac: ENC[AES256_GCM,data:fVnMwfvGi7vtP1Fg4NLrhGvLF2PcIgZPOcwk4Ssm4iw5iSj0K1npOX3pd5BWzyszqchfYYRHY99GllAump0bZmprVAld9rf70B2HZIVvowBPuUXfc9Cz/5q0z+s8bQ5vCdElW1Bh7h8W/POePdc8cFGAyBS4i1ZVNheIDOHdDjI=,iv:Bi6rekXOx3/dwwPRryF3CoAoQi3D06ABysRF1oBeG5A=,tag:0TCra+AkhBDczj4uvAzKMw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-12-29T15:25:27Z"
|
||||
enc: |
|
||||
|
|
|
@ -11,12 +11,72 @@
|
|||
};
|
||||
|
||||
services.nginx.virtualHosts = let
|
||||
autheliaDomain = "auth.${config.services.nginx.domain}";
|
||||
extraLocationOptions = {config, ...}: {
|
||||
options = {
|
||||
enableAutheliaProxy = lib.mkEnableOption "Enable recommended authelia proxy settings";
|
||||
enableAuthorization = lib.mkEnableOption "Enable authorization via authelia";
|
||||
};
|
||||
|
||||
config = {
|
||||
recommendedProxySettings = lib.mkIf config.enableAutheliaProxy false;
|
||||
|
||||
extraConfig = lib.concatStringsSep "\n" [
|
||||
(lib.optionalString config.enableAutheliaProxy ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-URI $request_uri;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Connection "";
|
||||
|
||||
client_body_buffer_size 128k;
|
||||
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
|
||||
proxy_redirect http:// $scheme://;
|
||||
proxy_http_version 1.1;
|
||||
proxy_cache_bypass $cookie_session;
|
||||
proxy_no_cache $cookie_session;
|
||||
proxy_buffers 64 256k;
|
||||
|
||||
real_ip_header X-Forwarded-For;
|
||||
real_ip_recursive on;
|
||||
|
||||
send_timeout 5m;
|
||||
proxy_read_timeout 360;
|
||||
proxy_send_timeout 360;
|
||||
proxy_connect_timeout 360;
|
||||
'')
|
||||
(lib.optionalString config.enableAuthorization ''
|
||||
auth_request /authelia;
|
||||
|
||||
set_escape_uri $target_url $scheme://$http_host$request_uri;
|
||||
|
||||
auth_request_set $user $upstream_http_remote_user;
|
||||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
auth_request_set $name $upstream_http_remote_name;
|
||||
auth_request_set $email $upstream_http_remote_email;
|
||||
|
||||
proxy_set_header Remote-User $user;
|
||||
proxy_set_header Remote-Groups $groups;
|
||||
proxy_set_header Remote-Email $email;
|
||||
proxy_set_header Remote-Name $name;
|
||||
|
||||
error_page 401 =302 https://${autheliaDomain}/?rd=$target_url;
|
||||
'')
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
extraVirtualHostOptions = {
|
||||
name,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
options = {
|
||||
enableAuthorization = lib.mkEnableOption "Enable authorization via authelia";
|
||||
enableHSTS = lib.mkEnableOption "Enable HSTS";
|
||||
|
||||
addAccessLog = lib.mkOption {
|
||||
|
@ -26,6 +86,10 @@
|
|||
Add special logging to `/var/log/nginx/''${serverName}`
|
||||
'';
|
||||
};
|
||||
|
||||
locations = lib.mkOption {
|
||||
type = lib.types.attrsOf (lib.types.submodule extraLocationOptions);
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
|
@ -37,6 +101,41 @@
|
|||
access_log /var/log/nginx/${name}/access.log upstream_time;
|
||||
'')
|
||||
];
|
||||
|
||||
locations = lib.mkIf config.enableAuthorization {
|
||||
"/".enableAuthorization = true;
|
||||
"/authelia" = {
|
||||
proxyPass = "http://127.0.0.1:9091/api/verify";
|
||||
recommendedProxySettings = false;
|
||||
extraConfig = ''
|
||||
internal;
|
||||
|
||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||
proxy_set_header X-Original-Method $request_method;
|
||||
proxy_set_header X-Forwarded-Method $request_method;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-Uri $request_uri;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_set_header Connection "";
|
||||
|
||||
proxy_pass_request_body off;
|
||||
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
|
||||
proxy_redirect http:// $scheme://;
|
||||
proxy_http_version 1.1;
|
||||
proxy_cache_bypass $cookie_session;
|
||||
proxy_no_cache $cookie_session;
|
||||
proxy_buffers 4 32k;
|
||||
client_body_buffer_size 128k;
|
||||
|
||||
send_timeout 5m;
|
||||
proxy_read_timeout 240;
|
||||
proxy_send_timeout 240;
|
||||
proxy_connect_timeout 240;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
|
|
Loading…
Reference in a new issue